(57) ABSTRACT

A method and a system for establishing network tunnels are disclosed. In one embodiment, a transport action is identified in response to packet parameters. Once the transport action is determined, the transport action is pushed onto a pending stack. When a tunnel action is subsequently identified in response to the packet parameters, the tunnel action is also pushed onto the pending stack. Upon completion of rule evaluation, at least one tunnel is established according to a tunnel action stored in the pending stack. The action stored at the top of the pending stack is performed first and the action stored at the bottom of the pending stack is performed last.

21 Claims, 7 Drawing Sheets 
METHOD FOR ESTABLISHING IPSEC TUNNELS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to the field of network communication and, more specifically, the present invention relates to a method for establishing network tunnels.

2. Description of the Related Art

Computer technology is continuously advancing, providing newer computer systems with continuously improved performance. One result of this improved performance is an increased use of computer systems by individuals in a wide variety of business, academic and personal applications. In some instances, these computers are linked together by a network, such as, for example, the Internet, so that the systems can communicate with each other using network communications.

In a typical network communication, a data packet, which, for example, may contain audio and video ("AV") data, is used to transmit data between the systems. A packet is typically organized into a format according to a conventional network protocol, such as, for example, IP ("Internet Protocol"). IP allows a packet to pass across the Internet with the best-effort packet delivery service.

A problem with a conventional packet transmission across a network, such as the Internet, is the security of the packet. In other words, the content of the packet could be captured by an unintended party during the course of transmitting across the network. To enhance the packet security, various schemes have been developed, such as, for example, encrypted tunnels.

A tunnel is a virtual path that can be established between network nodes. A typical tunneling process encapsulates a packet with the source network into an intermediate network and the encapsulation is later removed before the packet reaches its destination node. Transport rules provide services that allow two or more machines to set up sessions so that machines can communicate with each other. Accordingly, a set of IPSEC (Internet Protocol Security) transport mode rules and tunnel mode rules are typically used to enhance the packet security.

However, a problem associated with the currently employed scheme is that the scheme performs only the first rule that it encounters. In other words, the currently employed scheme performs the first rule, which could be either an IPSEC transport mode rule or an IPSEC tunnel mode rule, that it encounters and ignores the remaining rules.

Therefore, there is a need to have a mechanism for establishing tunnels in response to multiple IPSEC rules.

SUMMARY OF THE INVENTION

A transport action is, in one embodiment, identified in response to packet parameters. Next, the transport action is pushed onto a pending stack. When a tunnel action is identified in response to the packet parameters, the tunnel action is pushed onto the pending stack. At least one tunnel is set up in response to the pending stack. The tunnel action stored at the top of the pending stack is performed first and the tunnel action stored at the bottom of the pending stack is performed last.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood more fully from the detailed description given below and from the accompanying drawings of various embodiments of the invention, which, however, should not be taken to limit the invention to the specific embodiments, but are for explanation and understanding only.

FIG. 1 illustrates one embodiment of a network having various hosts and nodes.

FIG. 2 illustrates one embodiment of a network having multiple tunnels.

FIG. 3 illustrates one embodiment of a network system used to support network traffic.

FIG. 4 illustrates one embodiment of a tunnel configuration.

FIG. 5 is a block diagram illustrating one embodiment of a pending stack and a completed stack.

FIG. 6 is a flowchart illustrating an embodiment of a process for establishing a tunnel.

FIG. 7 is a flowchart illustrating an embodiment of a process for setting up tunnels using two stacks.

DETAILED DESCRIPTION

A method and a system for establishing tunnels in response to rules are described.

In the following description numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one having ordinary skill in the art that the specific details need not be employed to practice the present invention. In other instances, well known materials or methods have not been described in detail in order to avoid obscuring the present invention.

Some portions of the detailed descriptions that follow are presented in terms of processes and symbolic representations of operations on data bits within a computer memory. These processing descriptions and representations are the tools used by those of ordinary skill in the data processing arts to most effectively convey the substance of their work to others of ordinary skill in the art. A process is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. These steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, et cetera.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussions, it is appreciated that throughout the present invention, discussions utilizing terms such as "processing" or "computing" or "calculating" or "determining" or "displaying", et cetera, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

OVERVIEW

A mechanism of establishing multiple tunnels for transporting a packet is described. Actions, in one embodiment,
include transport actions, which specify how a packet should be transported, and tunnel actions, which indicate how to set up possibly multiple tunnels. The mechanism, in one embodiment, includes a pending stack and a completed stack. The pending stack includes an order of actions to be performed. The completed stack indicates an order of actions to be removed or torn down.

In one embodiment, a transport action is identified in response to packet parameters. Packet parameters may include, but are not limited to, source address, destination address, and protocols. Once a transport action is determined, the transport action is pushed onto a pending stack. After completion of rule identification, at least one action may be performed according to an action stored in the pending stack. The action stored at the top of the pending stack is performed first and the action stored at the bottom of the pending stack is performed last. Tunnels are, in one embodiment, established in this order because earlier tunnels are necessary so that the host may establish the subsequent tunnels.

When a tunnel or transport action is performed successfully, the action is stored or pushed onto a completed stack. However, when an action from the pending stack has failed to perform, such as, for example, a tunnel could not be established at the present time, the tunnels, which are already established, are going to be torn down. The removing tunnel action stored at the top of the completed stack is performed first and the action stored at the bottom of the completed stack is performed last.

FIG. 1 illustrates one embodiment of a network configuration 100 having various nodes and hosts. Referring to FIG. 1, a network 101, hosts 120, 130, 132, 140, and nodes 110, 112, 122, 124, 126, 134, and 136 are shown. A host is usually a host system, such as, for example, a conventional computer or a cluster of computers, and can support multiple nodes and sub-hosts. A function of the host is to distribute various packets to various nodes that attach to the host.

A node is a connecting point on a network where a device or devices can be attached to the node. A typical device can be a PC ("personal computer"), a printer, a fax machine, a telephone, and the like. A node can also connect to another node or nodes.

Network 101 contains four network servers 102, 104, 106, and 108, which are interconnected using various conventional connections 150-158. In one embodiment, network 101 is the Internet and the network may contain more than four servers. In this embodiment, server 102 is connected to servers 104, 106, and 108 using connections 150, 158, and 156, respectively. Also, server 106 is connected to servers 104 and 108 using connections 152 and 154, respectively.

In one embodiment, network 101 is connected to hosts 120, 130, 140 and node 110 using conventional network connections. In this embodiment, while host 120 is connected to nodes 122, 124, and 126, host 130 is connected to node 136 and host 132. Host 132 is further connected to node 134 and node 110 is connected to node 112. Other nodes and hosts can be connected to network 101, but they are not necessary to understanding the invention.

Each node or host can access or communicate with any other node or host on the network. When a source node, in one embodiment, sends a packet to a destination node, the packet may have several alternative paths or routes to reach the destination node. In other words, a packet, which is sent from a source node, may have options to take one of many paths or routes to reach the destination node or host. However, a different path or route contains different characteristics, which include, but are not limited to, speed of the packet in transmission and security requirements. For example, host 130 sends a packet to host 102 where the packet is first sent to server 106. The next step is to send the packet to server 102 from server 106. The packet has three alternative paths to reach server 102. The first path is to send the packet from server 106 to server 102 via server 104 using connections 152 and 150. The second path is to send the packet from server 106 to server 102 via server 108 using connections 154 and 156. The third path is to send the packet directly from server 106 to 102 using connection 158. The third path is a preferred path, in this example, because the packet takes fewer hops between servers to reach the destination server and consequently, the packet may take less time to reach server 102. Once the packet reaches server 102, node 120 receives the packet from server 102. Accordingly, the network administrator may allow the packet to take the third path if the packet has a high priority status and allow the packet to take the first or second path if the packet has a low priority status.

Network 101 may have more than four servers and more paths may be available to a packet to reach the destination node. Since different paths offer different performance, the network administrator needs various rules and conditions to manage and control overall network communication performance. Rules and conditions commonly involve QOS, security requirements, and the like.

FIG. 2 illustrates one embodiment of a network 200 having multiple tunnels. Referring back to FIG. 2, a sender node 202, a receiver node 210, and the Internet 216 are shown. The Internet 216 further includes three network nodes 204, 206, 208, which could be security gateways and termination points for tunnels. The first tunnel, T1 220, is coupled between sender node 202 and node 204, while the second tunnel, T2 222, is coupled between node 204 and node 206. The third tunnel, T3 224, is coupled between node 206 and node 208. In one embodiment, the tunnels T1 220, T2 222, T3 224 may be encrypted to enhance IP security. These encrypted tunnels may be used to create Virtual Private Networks ("VPNs").

A tunnel, in one embodiment, is a virtual network path that may use multiple network protocols to deliver a data packet. Tunnels may be established between security gateways and hosts. In one embodiment, a tunnel transports a packet using a foreign protocol across a network by encapsulating the packet into a tunnel format. A tunnel encapsulates a packet and transports the encapsulated packet across the network using the foreign protocol. The foreign protocol refers to a network protocol that is different from the protocol specified by the packet.

A VPN relates to a mechanism of tunneling and it provides privacy and authentication on public networks, such as, for example, the Internet. In one embodiment, a VPN may encrypt the packets to improve packet security. For example, a packet from a VPN using an Internet tunnel is encrypted before crossing the Internet and decrypted at the receiving end, typically the sending host's local network (i.e., corporate network).

A host is essentially a node on a network, and it has an IP (Internet Protocol) address. Authentication is a security method which authenticates one network node to another (i.e., proves the identity of the node). A security gateway (SG) is a computer or a group of computers that route packets. In one embodiment, an SG also provides filtering and security functions.

Sender node 202 and receiver node 210, in one embodiment, could be a machine, an entity, a cluster of
machines, or an individual computer. A machine refers to a computer, a server, or a network router. User entity 212, in one embodiment, could be a machine, a computer, a group of computers, or a corporation. In one embodiment, user entity 212 could be a host, which is connected to an individual user 214.

When sender node 202, in one embodiment, wants to send a packet to receiver node 210, sender node 202 first has to establish a set of tunnels T1, T2, T3 in that exact order. Once the tunnels are established, the packet is transmitted across the network via multiple tunnels to reach receiver node 210. It should be appreciated that a tunnel provides security for the message that travels across the network. For example, the security may be a process of encrypting the data. Other nodes or machines may be added in network 200, but they are not necessary to understanding the invention.

FIG. 3 illustrates one embodiment of a system 300 which may be used as a network server, an SG and the like. System 300 comprises a bus or other communication means 311 for communicating information, and a processor 302 coupled with bus 311 for processing information. Processor 302 includes, but is not limited to, a microprocessor such as an Intel Architecture microprocessor, manufactured by Intel Corporation of Santa Clara, Calif., the corporate assignee of the present invention. Processor 302 may also be another processor such as the PowerPC™, Alpha™, and the like.

System 300 further comprises a random access memory (RAM), or other dynamic storage device 304 (referred to as main memory) coupled to bus 311 for storing information and instructions to be executed by processor 302. Main memory 304 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 302. Digital system 300 also comprises a read only memory (ROM) and/or other static storage device 306 coupled to bus 311 for storing static information and instructions for processor 302, and a data storage device 307, such as a magnetic disk or optical disk and its corresponding disk drive. Data storage device 307 is coupled to bus 311 for storing information and instructions.

Digital system 300 may further be coupled to a display device 321, such as a cathode ray tube (CRT) or liquid crystal display (LCD), coupled to bus 311 for displaying information to a computer user. An alphanumeric input device 322, including alphanumeric and other keys, may also be coupled to bus 311 for communicating information and command selections to processor 302. An additional user input device is cursor control 323, such as a mouse, trackball, trackpad, stylus, or cursor direction keys, coupled to bus 311 for communicating direction information and command selections to processor 302, and for controlling cursor movement on display 321.

Another device which may be coupled to bus 311 is hard copy device 324, which may be used for printing instructions, data, or other information on a medium such as paper, film, or similar types of media. Furthermore, a sound recording and playback device, such as a speaker and/or microphone, may optionally be coupled to bus 311 for audio interfacing with computer system 300. Note that any or all of the components of system 300 and associated hardware may be used in the present invention. However, it can be appreciated that other configurations of the computer system may include some or all of the devices.

FIG. 4 illustrates one embodiment of a tunnel configuration 400. Data packet 420, and three tunnels 440, 450, and 460 are shown in FIG. 4. Data packet 420 includes a header section and a data section 421. The header section of the data packet 420, in one embodiment, includes a source address, a destination address, a source port, a destination port, and protocol, also known as the 5-tuple. In an alternative embodiment, tunnels 440, 450, and 460 are IPSEC (Internet Protocol Security) tunnels.

Each tunnel, in one embodiment, is organized into a header section and a data section. The data section or the payload encapsulates the entire packet or another tunnel, which encapsulates the packet. In an alternative embodiment, the tunnel header used for transporting a packet includes, but is not limited to, a field of source address, destination address, and protocol. For example, data section 446 of tunnel 440 encapsulates data packet 420 and data section 456 of tunnel 450 encapsulates tunnel 440. The header section of tunnel 440 includes a source address 442, a destination address 444, and a protocol 445.

Referring back to FIG. 4, tunnel 460, which is the first tunnel from the source node, includes a source node address 452 and a destination address SG1 (security gateway one) 454, which could be VPN 1. The data section 466 of tunnel 460 encapsulates tunnel 450. Tunnel 450 is the second tunnel from the source node and it includes A452 as the source address and SG2 (security gateway two) 454 as the destination address. The data section 456 of tunnel 450 encapsulates tunnel 440. Tunnel 440 is the third tunnel from the source node and it includes A442 as the source address and SG3 (security gateway three) 444 as the destination address. The data section 446 of tunnel 440 encapsulates data packet 420.

In operation, a data packet, such as, for example, data packet 420, is to be transmitted from address A to address B. When data packet 420 indicates the tunneling process for the packet security, three tunnels 440, 450, 460 may be established. After passing a tunnel successfully, the layer of encapsulation that corresponds to the tunnel just passed is removed and the next encapsulation, if any, is used for the packet transaction. When all encapsulations of the tunnels are removed, the data packet 420 is transmitted to the destination node.

FIG. 5 is a block diagram 500 illustrating one embodiment of a storage configuration having a pending stack 502 and a completed stack 504. The pending stack 502 stores multiple actions that indicate a sequence of tunnels to be built. In one embodiment, the physical storage locations of the pending stack indicate an order of actions to be performed. Actions, in one embodiment, include transport actions and tunnel actions. The completed stack 504 stores multiple actions that indicate a sequence of tunnels to be torn down. Like the pending stack, the physical storage locations of the completed stack indicate an order of actions to be performed.

For example, pending stack 502 contains actions VPN1 510, VPN2 512, VPN3 514, and receiver 516, where action VPN1 510 is stored at the top of pending stack 502 and action receiver 516 is stored at the bottom of the pending stack. Action VPN1 510, in one embodiment, requires the network to establish a tunnel between the source node and VPN1. During the execution, action VPN1 510 will be executed first and action receiver 516 will be executed last. Similarly, completed stack 504 contains actions receiver 526, VPN3 524, VPN2 522, and VPN1 520, where action receiver 526 is stored at the top of completed stack 504 and action VPN1 520 is stored at the bottom of completed stack 504. Like pending stack 502, action receiver 526 is performed first and VPN1 520 is performed last.
In operation, if a transport rule, such as, for example, an IPSEC transport mode rule, is matched with the packet, a corresponding transport action associated with the transport rule is pushed onto pending stack 502. In one embodiment, the matching process involves a comparison between the 5-tuple of the packet and the 5-tuple listed in the rule. Similarly, if a tunnel rule, such as, for example, an IPSEC tunnel mode rule, is matched with the packet, a corresponding tunnel action associated with the tunnel rule is pushed onto pending stack 502. This is repeated until no more tunnel rules match. After completion of rule evaluation, pending stack 502 is ready for execution.

During the execution, the action situated on the top of pending stack 502 is popped and the action is executed. If the action is successfully executed, the action is pushed onto completed stack 504. As discussed previously, the action could, for example, build a tunnel. The next action from the top of pending stack 502 is popped and executed. The process repeats until the bottom of pending stack 502 is reached. When all actions are executed successfully, completed stack 504 stores all actions in an order where the first action executed is located at the bottom of completed stack 504 and the last action executed is located on the top of completed stack 504. In other words, completed stack 504 stores the actions in the reverse of the order in which they were stored in pending stack 502.

However, if an action from pending stack 502 is executed unsuccessfully and completed stack 504 is not empty, a process of tearing down or removing the established tunnels should be performed. Since completed stack 504 stores the actions in the opposite order from pending stack 502, the tunnel that was built by the last successful action is torn down first and the tunnel built by the first successful action is torn down last. In other words, the tunnel situated farthest from the source node is torn down first and the tunnel situated closest to the source node is torn down last. Thus, completed stack 504 gives the sequence for removing the tunnels that are no longer needed.

Setting up a tunnel, tearing down a tunnel, or maintaining a tunnel consumes network resources. Thus, the overall performance of a network is improved if the building of unnecessary tunnels is reduced, which also reduces the number of unnecessary tunnels to be removed. Pending stack 502, in one embodiment, facilitates building one tunnel at a time, since the process pops one action from pending stack 502 at a time. Similarly, completed stack 504 facilitates removing or tearing down one tunnel at a time. Accordingly, setting up or tearing down one tunnel at a time reduces the number of unnecessary tunnels built and, consequently, the number of unnecessary tunnels to be torn down. For example, if ten tunnels are needed for transporting a packet and they are all established at the same time, nine tunnels may have to be torn down when one of the ten tunnels fails to establish. If instead the tunnels are established one at a time and the fifth tunnel fails to establish, only four tunnels need to be torn down.

FIG. 6 is a flowchart 600 illustrating an embodiment of a process for establishing tunnels. The process begins at the start block and proceeds to block 602. At block 602, a packet is received. After block 602, the process proceeds to block 604 where the process identifies transport and tunnel rules and sets up the pending stack. Upon moving to block 610, the process examines whether the pending stack is empty.

If block 610 is true, the process proceeds to block 612, where the process ends. On the other hand, if block 610 is false, which indicates that the pending stack is not empty, the process proceeds from block 610 to block 614 where the process establishes a tunnel in response to an action stored in the pending stack. After block 614, the process proceeds to block 616. At block 616, the process examines whether the tunnel is established successfully.

If the block 616 is true, the process proceeds from block 
616 to block 618. At block 618, the process pushes the action 
onto the completed stack and the process loops back to block 
610 to repeat the steps indicated in block 610. If block 616 
is false, which indicates that the tunnel has failed to 
establish, the process proceeds from block 616 to block 620. 

At block 620, the process examines whether the com- 
pleted stack is empty. If block 620 is true, which indicates 
that the completed stack is empty, the process proceeds to 
block 624 where the process ends. On the other hand, if 
block 620 is false, which indicates that the completed stack 
is not empty, the process proceeds from block 620 to block 
622. At block 622, the process tears down an established 
tunnel in response to the completed stack. After block 622, 
the process loops back to block 620 to repeat the steps 
indicated in block 620. 

FIG. 7 is a flowchart 700 illustrating an embodiment of a process for setting up tunnels using two stacks. The process begins at the start block and proceeds to block 702. At block 702, the process receives a packet and proceeds to block 704. At block 704, the fields of source address, destination address, and protocol of the packet are identified. After block 704, the process examines at block 706 whether the transport rules match the packet parameters, such as, for example, the 5-tuple. If block 706 is false, which indicates that no transport rule matches, the process moves to block 708 where the process ends.

If block 706 is true, which indicates that at least one transport rule is matched, the process proceeds to block 710. At block 710, a corresponding transport action associated with the transport rule is pushed onto the pending stack. After block 710, the process proceeds to block 712 where the process examines whether tunnel rules may be matched.

If block 712 is true, which indicates that the tunnel rule is 
matched, the process proceeds from block 712 to block 714. 
At block 714, a corresponding tunnel action associated with 
the tunnel rule is pushed onto the pending stack. After block 
714, the process proceeds to block 718 where the destination 
is set to the security gateway. After block 718, the process 
proceeds to block 712, where the process is repeated. 

If block 712 is false, which indicates that no tunnel rule matches the packet parameters, the process proceeds from block 712 to block 722 where the process examines whether the pending stack is empty. If block 722 is true, which indicates that the pending stack is empty, the process proceeds to block 724, where the process ends. If block 722 is false, which indicates that the pending stack is not empty, the process proceeds from block 722 to block 726.

At block 726, an action is popped from the pending stack. The process subsequently proceeds to block 728. At block 728, the tunnel or transport action is performed. After block 728, the process proceeds to block 730 where the process examines whether the action was performed successfully. If block 730 is true, which indicates that the action was performed successfully, the process proceeds from block 730 to block 732 where the process pushes the action onto the completed stack. After block 732, the process proceeds to block 722 where the steps listed in block 722 are repeated.

If block 730 is false, which indicates that the tunnel action failed, the process proceeds from block 730 to block 734. At block 734, an action is popped from the completed stack. After block 734, the process proceeds from block 734 to block 736. At block 736, the tunnel corresponding to that action is torn down. After block 736, the process loops back to block 730 where the steps listed in block 730 are repeated.
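The two-stack procedure of FIG. 7, together with the execution and teardown described for FIG. 5 and in the Overview, as an added example that is not the patent's own code: 5-tuple matching fills the pending stack (transport action first, then one tunnel action per match, re-targeting the destination to the matched gateway as in block 718), execution pops the pending stack and pushes each success onto the completed stack, and the first failure unwinds the completed stack last-built-first. The rule format, the action names, the `establish`/`teardown` callbacks and the `visited` guard against a looping rule set are assumptions made for illustration; the rule set and packet are constructed.

```python
# Added example, not code from the patent: the two-stack procedure of FIG. 7
# (and the execution/teardown described for FIG. 5). Rules are matched against
# the packet's 5-tuple; a transport action and then each tunnel action are
# pushed onto a pending stack, re-targeting the destination to the matched
# gateway after each tunnel match (block 718). Execution pops the pending stack,
# pushes each successful action onto a completed stack, and on the first failure
# pops the completed stack to tear the built tunnels down last-built-first.
# Rule format, action names, the callbacks and the `visited` guard are
# assumptions for illustration.
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    kind: str                 # "transport" or "tunnel"
    match: Dict[str, object]  # 5-tuple fields to compare; omitted fields are wildcards
    target: str               # transport: protocol to apply; tunnel: gateway to reach


def matches(rule: Rule, pkt: FiveTuple) -> bool:
    return all(getattr(pkt, k) == v for k, v in rule.match.items())


def build_pending(pkt: FiveTuple, rules: List[Rule]) -> List[str]:
    """Blocks 704-718. Returns the pending stack as a list whose last element
    is the top (executed first)."""
    transport = [r for r in rules if r.kind == "transport"]
    tunnels = [r for r in rules if r.kind == "tunnel"]
    pending: List[str] = []
    hit = next((r for r in transport if matches(r, pkt)), None)
    if hit is None:                      # block 706 false: no transport rule, stop
        return pending
    pending.append("transport:" + hit.target)
    cur, visited = pkt, set()
    while True:                          # block 712: repeat until no tunnel rule matches
        hit = next((r for r in tunnels if matches(r, cur) and r.target not in visited), None)
        if hit is None:
            break
        pending.append("tunnel:" + hit.target)
        visited.add(hit.target)          # guard against a rule set that loops
        cur = replace(cur, dst=hit.target)   # block 718: destination := gateway
    return pending


def execute(pending: List[str],
            establish: Callable[[str], bool],
            teardown: Callable[[str], None]) -> Tuple[bool, List[str]]:
    """Blocks 722-736. Returns (success, actions still standing)."""
    pending = list(pending)
    completed: List[str] = []
    while pending:
        action = pending.pop()           # block 726: top of the pending stack
        if establish(action):            # blocks 728/730
            completed.append(action)     # block 732
            continue
        while completed:                 # blocks 734/736: LIFO teardown
            teardown(completed.pop())
        return False, completed
    return True, completed


def simulate(pending: List[str], fail_at: Optional[str] = None):
    """Run `execute` with recording callbacks; `fail_at` names an action whose
    establishment is made to fail. Returns (ok, built order, teardown order, standing)."""
    built: List[str] = []
    torn: List[str] = []

    def establish(action: str) -> bool:
        if action == fail_at:
            return False
        built.append(action)
        return True

    ok, standing = execute(pending, establish, torn.append)
    return ok, built, torn, standing


# Constructed rule set: TLS traffic gets an ESP transport action; reaching B
# needs a tunnel to SG3, reaching SG3 needs SG2, reaching SG2 needs SG1.
RULES = [
    Rule("transport", {"proto": "TCP", "dport": 443}, "ESP"),
    Rule("tunnel", {"dst": "B"}, "SG3"),
    Rule("tunnel", {"dst": "SG3"}, "SG2"),
    Rule("tunnel", {"dst": "SG2"}, "SG1"),
]
PKT = FiveTuple("A", "B", 40000, 443, "TCP")

if __name__ == "__main__":
    stack = build_pending(PKT, RULES)
    print("pending (bottom..top):", stack)
    print("all succeed:", simulate(stack))
    print("SG3 fails:  ", simulate(stack, fail_at="tunnel:SG3"))
```

Because the farthest gateway's rule matches first and is pushed first, the tunnel nearest the source ends up on top and is built first, which is the ordering FIG. 5 shows (VPN1 at the top, receiver at the bottom). When the third tunnel fails, only the two tunnels already built are torn down, in reverse order, which is the one-at-a-time property argued for above.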

In the foregoing detailed description, the method and 
apparatus of the present invention have been described with 
reference to specific exemplary embodiments thereof. It 
will, however, be evident that various modifications and 
changes may be made thereto without departing from the 
broader spirit and scope of the present invention. The 
present specification and figures are accordingly to be 
regarded as illustrative rather than restrictive. 

Thus, a method and a system for establishing at least one 
tunnel using a pending stack and a completed stack have 
been described. 

We claim:

1. A method for establishing network tunnels comprising:
identifying a transport action in response to packet parameters;
pushing at least one said transport action onto a pending stack;
identifying a tunnel action in response to said packet parameters;
pushing at least one said tunnel action onto said pending stack; and
setting up at least one tunnel in response to said pending stack, said tunnel action stored at top of said pending stack being performed first and said tunnel action stored at bottom of said pending stack being performed last.

2. The method of claim 1, further comprising:
receiving a packet over a network;
identifying transport rules in response to said packet; and
identifying tunnel rules in response to said packet.

3. The method of claim 2, wherein said receiving a data packet includes identifying a TCP/IP ("Transmission Control Protocol/Internet Protocol") data packet and parsing TCP/IP fields of protocol, source addresses, and destination addresses.

4. The method of claim 1 further comprising:
popping an action from said pending stack; and
pushing said action onto a completed stack when said action is performed successfully.

5. The method of claim 1 further comprising:

machine readable program code embodied in the medium, the program code comprising:
identifying transport actions from transport rules;
pushing at least one said transport action onto a pending stack;
identifying tunnel actions from tunnel rules;
pushing at least one tunnel action onto said pending stack; and
setting up at least one tunnel in response to said pending stack, said tunnel action stored at top of said pending stack being performed first and said tunnel action stored at bottom of said pending stack being performed last.

11. The article of manufacture of claim 10 further comprising:
popping an action from said pending stack; and
pushing said action onto a completed stack when said tunnel action is performed successfully.

12. The article of manufacture of claim 10 further comprising:
obtaining an action from said completed stack after a tunnel has failed to establish; and
removing at least one tunnel in response to said action.

13. The article of manufacture of claim 10 further comprising continuing to remove tunnels until said completed stack becomes empty.

14. The article of manufacture of claim 10, wherein said network tunnels are IPSEC tunnels.

15. The article of manufacture of claim 10, wherein said identifying transport actions from transport rules further includes defining an IPSEC transport rule in response to
popping an action from a completed stack action when 

said tunnel has failed to establish; and 
tearing down at least one tunnel in response to said action. 

6. The method of claim 5 further comprising continuing to 
tear down tunnels until said completed stack becomes 
empty. 

7. The method of claim 1, wherein said identifying 
transport actions from transport rules further includes defin- 
ing an IPSEC transport rule in response to source address, 
destination address, and protocol of each packet. 

8. The method of claim 1, wherein said identifying tunnel 
actions from tunnel rules further includes defining an IPSEC 
tunnel rule in response to source address, destination 
address, and protocol of said packet. 

9. The method of claim 8, wherein said defining said 
IPSEC tunnel rule further includes identifying virtual private 
network ("VPN") for tunnel connections. 

10. An article of manufacture for establishing network 65 becomes empty, 
tunnels to improve network security, the article of manu- 
facture comprising a machine readable medium having 



source address, destination address, and protocol of each 
packet. 

16. The article of manufacture of claim 10, wherein said 
identifying tunnel actions from tunnel rules further includes 

35 defining an IPSEC tunnel rule in response to source address, 
destination address, and protocol of each packet. 

17. The article of manufacture of claim 10, wherein said 
defining said IPSEC tunnel mle further includes identifying 
intermediate virtual private network ("VPN"). 

18. An apparatus for establishing network tunnels com- 
prising: 

means for identifying transport actions from transport 
rules; 

means for pushing at least one said transport action onto 

a pending stack; 
means for identifying tunnel actions from tunnel mles; 
means for pushing at least one tuinnel action onto said 

pending stack; and 
means for setting up at least one tunnel in response to said 
pending stack, said tunnel action stored at top of said 
pending stack being performed first and said tunnel 
action stored at bottom of said pending stack being 
performed last. 

19. An apparatus of claim 18 further comprising: 
means for obtaining an action from said pending stack; 

and 

means for storing said action onto a completed stack when 
said action is performed successfully. 

20. An apparatus of claim 18 further comprising: means 
for obtaining an action from said completed stack after a 
tunnel has failed to establish; and 

means for removing at least one tunnel in response to said 
tunnel action. 

21. An apparatus of claim further comprising means for 
continuing to remove tunnels until said completed stack 
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